tag:www.schneier.com,2016:/blog//2/tag:www.schneier.com,2013:/blog//2.5002-2016-09-03T04:56:44ZComments for iPhone Fingerprint AuthenticationA blog covering security and security technology.Movable Typetag:www.schneier.com,2013:/blog//2.5002-comment:1770757Comment from Bill H on 2013-09-23Bill H
As the Chaos Computer Club people who just announced hacking the iPhone scanner point out:

"iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC team. Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands."

]]>
2013-09-23T11:46:41Z2013-09-23T11:46:41Ztag:www.schneier.com,2013:/blog//2.5002-comment:1748014Comment from mr nuh on 2013-09-17mr nuh
The only notable benefit to fingerprint verification is that it increases credibility of the person (like online shopping).

Then, there is a nasty possibility of your fingerprint record being gathered by rogue spy or hacker. One can never have a peaceful mind with such feature.

]]>
2013-09-18T04:51:21Z2013-09-18T04:51:21Ztag:www.schneier.com,2013:/blog//2.5002-comment:1740934Comment from Jeff K on 2013-09-16Jeff K
@Al
On privacy concerns and "what if", see the post by Hagai Bar-El at:http://www.hbarel.com/index.php/privacy-risky-apple-fingerprint-reader
]]>
2013-09-16T10:32:51Z2013-09-16T10:32:51Ztag:www.schneier.com,2013:/blog//2.5002-comment:1737968Comment from Klaus Düll on 2013-09-15Klaus Düllhttp://pretioso-blog.com
I totally disagree with Bruce in this point. I consider the fingerprintreader as the perfect tool for the NSA. This misuse of technology is implemented to every technology and the NSA will use every effort to take advantage of this unacceptable feature of the new iPhone. For those who speak German - I have written my very different opinion on this technology in a blog post: http://pretioso-blog.com/iphone-5s-nach-vorne-denken-ok-apple-steigt-zum-waffenhersteller-auf-das-wettrennen-der-hersteller-um-die-liebe-der-nsa/]]>
2013-09-15T11:38:05Z2013-09-15T11:38:05Ztag:www.schneier.com,2013:/blog//2.5002-comment:1736209Comment from some internet dude on 2013-09-14some internet dude
NSA must be salivating, they will potentially have every iPhone users fingerprint on file.]]>
2013-09-14T23:05:17Z2013-09-14T23:05:17Ztag:www.schneier.com,2013:/blog//2.5002-comment:1727502Comment from Petter on 2013-09-12Petter
When will the first drunk/sleeping fingerprint-login face rape occur?
When will the first instance of US Customs forcing someone to press their thumb against the reader to get into the phone?
Will you be able to refuse to give you thumb to the police?
There are so many cuestions that need to be answered about the feature.]]>
2013-09-13T02:46:17Z2013-09-13T02:46:17Ztag:www.schneier.com,2013:/blog//2.5002-comment:1725524Comment from Adrian on 2013-09-12Adrian
"It's a different matter entirely if your fingerprint is used to authenticate your iCloud account. The centralized database required for that application would create an enormous security risk."

Indeed. For fingerprints to become acceptable as online authentication credentials, fingerprint templates need to be cancelable and irreversible. Without that, online storage of fingerprint templates is a terrible idea.

]]>
2013-09-12T18:14:53Z2013-09-12T18:14:53Ztag:www.schneier.com,2013:/blog//2.5002-comment:1723523Comment from etr95 on 2013-09-12etr95
I'd be wary of any security system where the weakest link is a body part. I wonder how long it will take before we see the first "thieves cut off iphone user's finger" story?]]>
2013-09-12T10:47:00Z2013-09-12T10:47:00Ztag:www.schneier.com,2013:/blog//2.5002-comment:1723486Comment from etr95 on 2013-09-12etr95
Japan introduced fingerprinting of foreigners on entry to the country after 9/11 as an "anti-terror" measure (Apparently all terrorists are foreigners, or all foreigners are terrorists, or something). In practice, it is more often seen as an anti-immigration measure. It hasn't proved 100% effective:'Fake fingerprint' Chinese woman fools Japan controls (BBC News).
]]>
2013-09-12T10:41:34Z2013-09-12T10:41:34Ztag:www.schneier.com,2013:/blog//2.5002-comment:1722621Comment from ipmi on 2013-09-12ipmi
@Markus: "@Winter - those aren't on PCs, just server motherboards."

]]>
2013-09-12T07:57:43Z2013-09-12T07:57:43Ztag:www.schneier.com,2013:/blog//2.5002-comment:1722453Comment from Friends on 2013-09-12Friends
My question is short.
I have a few trusted friend whom I have told my PIN code to my phone. It's useful. If I'm busy, I may see a reply and hand my phone to them and say "could you just reply for me please and dictate to them as I do something tricky for them with two hands myself. My dad does it if he's driving - I'll answer his phone and I know his passcode. Adding individual fingerprints to the database is a fucking hassle. I'm not adding mine, my dads, my best friends, etc etc etc. what do I do now?]]>
2013-09-12T07:21:09Z2013-09-12T07:21:09Ztag:www.schneier.com,2013:/blog//2.5002-comment:1720694Comment from random_visitor on 2013-09-11random_visitor
What are the chances that the iphone owner's prints are on his own phone ?
To me it looks the same as putting the key under the rug in front of the door it opens.]]>
2013-09-12T02:05:53Z2013-09-12T02:05:53Ztag:www.schneier.com,2013:/blog//2.5002-comment:1720299Comment from Bob Bokken on 2013-09-11Bob Bokken
Regarding the "me button" on the Apple iPhone 5s:

-- Every iPhone 5s phone will be effectively tied to a real person in an almost incontrovertible manner, provided the real person has submitted his/her prints anywhere/anytime in the past. This means every website, every email message, every app used, every password entered, every text, every picture, etc.

-- It would be incredibly simple for Apple to watermark all the digital images produced by an iPhone with a concise, perhaps undetectable, electronic representation of the current user's fingerprint, so if you take a picture and send it to someone, it will be easy to track it back to you.

-- Technically every single action that you take on your phone will be tied to you, by fingerprint. There will be a "logon" record of a print, various user actions, and then a "logoff" record of a print. Dependent on what the user does, there will also be some set of additional print records captured as the user presses the home button during the course of normal phone usage.

-- As this usage data is "moment in time", it allows reasonably non-noisy tracking who is using the phone at any given moment, quite helpful for gathering data on families, extended families, friends, significant others, and, of course, black market networks. For the most part, it will be quite easy to tell who did what on the phone.

-- It would be relatively easy to make a device that takes as input the giant database of existing captured prints and then gives a fingerprint scanner the representative electrical signals. In practice, it probably wouldn't work 100%, as they would have to make some guesses about the electrical properties of a wide variety of fingers, but it would give law enforcement a quick way of unlocking many things secured with a modern fingerprint lock, such as the new Apple phone. If there is a proliferation of similar fingerprint locks, say across multiple electronic devices, then all it takes is one "key" to open all the locks.

-- Of course, it is even more likely that the iPhone 5s has a "master print" built into the chip that unlocks any device. Given the various news articles recently, this wouldn't be surprising in the least. All one would need is an e-finger that emits the proper "master print" unlock signal. This doesn't even have to be anything like a finger, just something that can adequately send signals to the Authentec sensor.

-- The likelihood of Apple collecting all the biometric data from the millions of "me buttons"... and not sharing it with the NSA and others... is precisely zero. With all that has been revealed about the NSA-Apple partnership, it is clear that the NSA is calling the shots and will have access to all the "me button" data. It would be virtually impossible for anyone to detect whether or not this data had been shared, so there is little to no downside of collecting it to Apple and all sorts of potential upsides for Apple, the NSA and others.

On the whole, the "me button" seems like a small gain in casual security, i.e. temporary and mostly meaningless safety, but at the price of a large loss in liberty, i.e. the ability for me to be secure in my possessions and my communications.

]]>
2013-09-12T00:56:10Z2013-09-12T00:56:10Ztag:www.schneier.com,2013:/blog//2.5002-comment:1720225Comment from dimitris on 2013-09-11dimitris
Fingerprint readers can indeed be useful at the convenience end of the access control spectrum.

On a phone, fingerprints can be very useful for selective access control. Given "locked screen" state:

- Left middle finger / "Salute to authority": Immediately shuts down device (and good luck with the LUKS key).

It is asserted to be true that for individual i that
forensicDNA(DNA(i,t1)) = forensicDNA(DNA(i,t2)) where t1 and t2 are separate instances of time in the lifetime of individual i. DNA is the function of taking a DNA sample from individual i and forensicDNA is the function of making the DNA fingerprint/hash of a DNA sample.

It is asserted to be true that for (distiinct) individuals i and j that the probability of
forensicDNA(DNA(j)) = forensicDNA(DNA(i)) is infinitessimally small. ie that it is "legally safe" to take
forensicDNA(DNA(i)) = forensicDNA(DNA(j)) if and only if i = j

]]>
2013-09-12T00:24:09Z2013-09-12T00:24:09Ztag:www.schneier.com,2013:/blog//2.5002-comment:1720121Comment from RobS on 2013-09-11RobS
Damn this English language -
The iPhone "fingerprint" is almost certainly not a "fingerprint". The iPhone has a sensor and software that compares "sensor stuff" against "registered sensor stuff" and authenticates if they are "sufficiently similar". A "fingerprint" is a latent image or inked image of the ridge pattern on a human finger which can be compared for similarity by a forensic expert. There is absolutely no reason to believe that the biometric sensor stores a ridge pattern or that it stores anything that could be recognised by a forensic expert. Also, DNA is not the same as "forensic DNA". DNA is a (very likely to be unique to an individual), enormously complex molecule. "forensic DNA" is a sequenced set of the lengths of a few pieces of DNA that has unknown uniqueness properties (and that is ignoring possibilities of contamination, processing error ...)]]>
2013-09-12T00:16:02Z2013-09-12T00:16:02Ztag:www.schneier.com,2013:/blog//2.5002-comment:1720083Comment from RobertT on 2013-09-11RobertT
@Marc
PUF's are just today's version of magic-pixie-dust, truth is PUF's only exist in the minds of those people lacking the technical skills to reveal a PUF;s secrets.

If you really want to understand what I'm saying than abandon the futile search for better PUF's and become a real world expert on high tech failure analysis. Once you've skilled up in this area come back and address the original PUF concept.

]]>
2013-09-12T00:03:04Z2013-09-12T00:03:04Ztag:www.schneier.com,2013:/blog//2.5002-comment:1719530Comment from wb on 2013-09-11wbhttp://wurstball.de/143010/http://wurstball.de/143010/ ; what else ?]]>
2013-09-11T21:02:14Z2013-09-11T21:02:14Ztag:www.schneier.com,2013:/blog//2.5002-comment:1719498Comment from Alan Kaminsky on 2013-09-11Alan Kaminsky
Here's the correct way to do biometric authentication:

]]>
2013-09-11T20:19:53Z2013-09-11T20:19:53Ztag:www.schneier.com,2013:/blog//2.5002-comment:1719317Comment from Daniel on 2013-09-11Daniel
I see Apple's move in a different light. It really isn't about securing phones but about the security-corporation complex conditioning people to accept biometrics as a "normal" part of life, in the same way that fingerprinting kids did to parents. If some phones are secured as a by-product that is a nice secondary effect.

]]>
2013-09-11T20:03:40Z2013-09-11T20:03:40Ztag:www.schneier.com,2013:/blog//2.5002-comment:1719227Comment from Jim Bo on 2013-09-11Jim Bo
The problem with Biometrics is that it solves the wrong problem. Authentication "Who you are" isn't the concern, its authorization "what you can do" You can solve who you are with a human (guard, security officer...), it works exceptionally well everywhere except Hollywood movies.]]>
2013-09-11T19:36:32Z2013-09-11T19:36:32Ztag:www.schneier.com,2013:/blog//2.5002-comment:1719224Comment from Manlio on 2013-09-11Manliohttp://www.gsslatino.com.mx
The security its a essentials problem in the new gadgets, but the design and the image..thats moving the MKT engine...
I think so that, the iphone is a new history with bad men, bad engineers, good designs, with new ideas....no matter whos, no matter when, no matter where.....
Its here...

Wouldn't your fingerprints be right on the phone itself? Prints can be lifted, replicated, etc. The average iphone thief is just after the hardware, and may take advantage of any creds he can get his hands on. But if somebody is after your iphone data, then yes, your fingerprints are all on it.

The question was about building/enlisting secure private cloud. I assume he will want to use servers for that cloud, not PCs.

]]>
2013-09-11T19:22:37Z2013-09-11T19:22:37Ztag:www.schneier.com,2013:/blog//2.5002-comment:1719117Comment from nick s on 2013-09-11nick s
"Its really intended for the 50%+ of people who don't lock the phone at all!"

And for the people who, when asked to reauthenticate for things like iTunes purchases, consider it such a pain that they systematically weaken their passwords in order to avoid repeated failures.

One might consider that they get what they deserve, but strong password auth in mobile contexts is a problem, especially for people who don't have password experience in desktop/laptop computing. Touchscreens and software keyboards aren't amenable to complex passwords, and don't provide the feedback of physical keyboards.

This isn't to downplay the issues of using fingerprints for account services on top of simple unlocking, even if it's mediated by the Keychain API, but to contextualize the existing baseline.

]]>
2013-09-11T19:06:21Z2013-09-11T19:06:21Ztag:www.schneier.com,2013:/blog//2.5002-comment:1719008Comment from Marc on 2013-09-11Marc
One way to implement such taking the sensor and interweave it with a Physical Unclonable Function (PUF) or a controlled PUF. A PUF has the same properties as a random secure hash function. In addition, it has a unclonable properties that protects agains invasive attacks (i.e. scraping off layers of the cpu in order to detect it workings ). The intrinsic properties of PUF can be used for secure key storage as well as secure channel setup, which make it ideal for such as finger print scanner. ]]>
2013-09-11T18:32:38Z2013-09-11T18:32:38Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718975Comment from AlexT on 2013-09-11AlexT
Just one question that comes to mind: what about self incrimination ? We all heard about the issues on coercing someone to relinquish a password - I don't think the case has been yet fully decided. But what about refusing to put your finger on the reader ? Is that something you can legally refuse ? What about (physically) forcing you to do it ? Any (legal) opinions !?]]>
2013-09-11T18:27:16Z2013-09-11T18:27:16Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718955Comment from Kevin an Auditor on 2013-09-11Kevin an Auditor
@Kevin

If biometrics are used to secure data, the NSA has an interest. Additionally, the NSA does not exist in a vacuum. It is supposed to share its "product" (after suitable cleaning to disguise the source) with not only other intelligence agencies, but also relevant "customers" (i.e. State, Treasury). The fingerprint of a certain Mr. or Ms. "Vowel - Overflow" might be a valuable trading card for the NSA. Fingerprints are used in traditional espionage investigations to determine, for instance, who has handled a document.

I believe the NSA has already demonstrated a clear hoarding pathology.

]]>
2013-09-11T18:23:29Z2013-09-11T18:23:29Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718878Comment from Al on 2013-09-11Al
What about privacy issues? What are the possible (worst-case-scenario) consequences of letting an IT company have your fingerprints?]]>
2013-09-11T18:08:46Z2013-09-11T18:08:46Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718875Comment from Scared on 2013-09-11Scared
@ Nicholas Weaver
"If the NSA wants your fingerprints, they just ask the DMV..."

Yeah, but can the DMV tell the NSA exactly which phone to track?

And what about false positives? How unique is the finger-print data that's used? 99.9% accuracy might be good enough as an access condition, but what if your finger print looks almost like Mr. Snowden's?

]]>
2013-09-11T18:08:20Z2013-09-11T18:08:20Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718806Comment from Dominic on 2013-09-11Dominichttp://www.domstechblog.com
Solid Post Bruce! Interesting points and I do agree that their exists the possibility for security holes with this new biometric system on the iPhone. I also think, that for the average person, this won't be an issue. For the average person, just setting up some type of security, whether it be a pin for a fingerprint, is going to go a long way. I could see someone with very important info on their phone being slightly worried though.]]>
2013-09-11T17:51:35Z2013-09-11T17:51:35Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718785Comment from 12345 on 2013-09-1112345
If that catches, on, that is the end of burner phones and anonymity.

But who needs anonymity and secrets if you aren't doing anything wrong...

(assuming that the phone companies have to provide fingerprints with their court-required metadata dumps to the NSA)

]]>
2013-09-11T17:45:33Z2013-09-11T17:45:33Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718734Comment from P R White on 2013-09-11P R White
Hmmm.... Anybody know where I can get an armed Marine?]]>
2013-09-11T17:32:30Z2013-09-11T17:32:30Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718726Comment from Marcus on 2013-09-11Marcus
@Winter - those aren't on PCs, just server motherboards.]]>
2013-09-11T17:31:05Z2013-09-11T17:31:05Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718715Comment from Nicholas weaver on 2013-09-11Nicholas weaver
The PIN lock on the iPhone is not the SIM lock, but a lock on the phone's logic. It is brute forceable at about 1 try/s with a cable connection, no limit.
]]>
2013-09-11T17:28:47Z2013-09-11T17:28:47Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718598Comment from Cooder on 2013-09-11Cooder
Laser Surface Authentication -
Just want you security people ponder about this physical tech, which I think is pretty cool. It is not biometrics but more like "objectometrics". There are many interesting applications, just one could be unforgeable dollar bills, or if you had an LSA scanner in your computer, you could make a key out of almost any object.http://www.ingeniatechnology.com/the-lsa-technology/ ]]>
2013-09-11T17:07:31Z2013-09-11T17:07:31Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718527Comment from Winter on 2013-09-11Winter
@Petter
"I want a secure and complete private cloud which I am in full control of. Is there one?"

Probably not. Maybe if you build it yourself and disconnect the BMC/IPMI.

]]>
2013-09-11T16:56:04Z2013-09-11T16:56:04Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718519Comment from Alex on 2013-09-11Alex
My biggest issue with biometric "keys" is that they're always exposed and can't be changed. With modern cameras, it's easy to get a good high-quality picture of the human eye from quite a distance. We leave out fingerprints everywhere. So if those get compromised, how are we to secure the system from there?
]]>
2013-09-11T16:55:05Z2013-09-11T16:55:05Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718433Comment from Coode on 2013-09-11Coode
@Joe Hall, Oops. missed that! That was what I was looking for!]]>
2013-09-11T16:29:40Z2013-09-11T16:29:40Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718418Comment from Joseph Price on 2013-09-11Joseph Price
There was a great Myth Busters episode where they (supposedly) fooled even the (supposedly) high-end fingerprint scanners. Those that checked temperature and pulse etc.

I won't spoil what methods worked for them but they tried latex and photocopies....

It may not be academic the usual research but still, go watch!

]]>
2013-09-11T16:26:35Z2013-09-11T16:26:35Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718400Comment from Cooder on 2013-09-11Cooder
Q: Is there a one-way function that can be used for biometric data from fingers to protect the database from leaking to unauthorized attackers, and still enable the correct validation/invalidation of the user? This seems to be an interesting question in the light of recent events! Maybe this Q has obvious answer, but I am new to this and if so, I did not use the right search keywords.
@Bruce, 1e6 thanks for all your efforts!]]>
2013-09-11T16:21:18Z2013-09-11T16:21:18Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718354Comment from Anony on 2013-09-11Anony
Fingerprints are not a proven unique identifier. Often, partial prints are enough to get you convicted by a jury. So basically, any time there's a crime and your prints come up as a partial match on the computer, you have to prove you're innocent. Good luck with that. It's a lot harder than it sounds!

We leave fingerprints everywhere. Like all over our phones. Security wise, I've seen better ideas.

Fingerprints are trivially captured from items we touch every day. They are equally trivially reproduced. Let me see your fingerprints for a minute to xerox them, and $8 at Radio Shack for a circuit board photo etch kit, and I can forge your prints anywhere, anytime, sufficient to fool any existing security device. Heartbeat, blood flow, electrical conductivity, temperature, you name it! I can commit murder and leave your prints at the scene in the victim's blood. It's scary. Why would you willingly put your prints into a database?

It's also troubling how folks are actively prevented from proving fingerprints are unique. You're not allow access to the fingerprint databases if you want to test that hypothesis. At the very least, we would expect some duplicates through the birthday paradox.

As far as I know, and I have several kids, the SSN only requires footprints, not fingerprints. Perhaps they've changed it recently...

I know I just found out I need to submit my fingerprints, and pay a fee, to run a lunchtime computer club at my kid's school. Utter joke security. Trivial to fake and bypass. But somebody somewhere is building a database. Guess what I'm not doing now. I'll teach my kids at home. Their classmates will lose out.

]]>
2013-09-11T16:11:37Z2013-09-11T16:11:37Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718342Comment from parkrrrr on 2013-09-11parkrrrr
Its really intended for the 50%+ of people who don't lock the phone at all!

If a phone manufacturer wants me to lock my phone, they need to provide a way that I can lock it and disable or remove the "Emergency Call" button.

The only reason I don't lock my (stock, currently not reflashable) Android phone is that if I do lock it, it will eventually dial 911 while in my pocket. This is not theoretical - it has done so before.

I want a secure and complete private cloud which I am in full control of. Is there one?

Yes, but it's different. The regulars all do the same thing, the only difference being whether you have the keys or they do. That translates to who gets blamed when your stuff gets hacked. There are advantages and disadvantages of both. But, yes there is a different solution, and it's cool, but it's different, and sadly no one wants different.

]]>
2013-09-11T15:56:54Z2013-09-11T15:56:54Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718129Comment from Aspie on 2013-09-11Aspie
This sounds like the gimmick IBM offered on its T60 laptops.

As biometrics go it's not very secure - perhaps a front-facing camera with an appropriate lens could do a retina scan as they do at airports now?

ST, I find all this attachment to personal communicators bewildering. I carried a mobile for 10 years until I realised that it was more of an intrusion than a convenience. I have a mobile - basic, pay as you go, bought with cash - which I carry (turned off - much to the chagrin of people who expect me to be instantly available) only for emergencies.

The social expectation that people should carry "trackers" like these is becoming so entrenched that it's a form of peer-pressure. Those who don't carry are considered "odd". A psychology that the marketers have doubtless embraced.

]]>
2013-09-11T15:13:16Z2013-09-11T15:13:16Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718094Comment from DD on 2013-09-11DD
As much as I'm apprehensive of the TouchId, I don't understand the reaction of people from US talking about the NSA getting access to their fingerprints. Don't the US citizens already give nice and clean fingerprints to the govt when they get an SSN. (And passport too, I think?)

Also, visitors to the US give nice clean fingerprints to the US Govt at the immigration.

So what backdoor are you exactly worried about?

]]>
2013-09-11T15:06:06Z2013-09-11T15:06:06Ztag:www.schneier.com,2013:/blog//2.5002-comment:1718076Comment from Joe Hall on 2013-09-11Joe Hallhttps://www.cdt.org/
Just as I'd thought an initial paper in 2007 about using slow symmetric hash functions on features within a template and then performing matching in hash space:

]]>
2013-09-11T15:00:43Z2013-09-11T15:00:43Ztag:www.schneier.com,2013:/blog//2.5002-comment:1717973Comment from Joe Hall on 2013-09-11Joe Hallhttps://www.cdt.org/
A centralized DB for iCloud auth based on fingerprints could be hashed (using slow password hashes) fingerprint templates (not entire images)... although not sure if matching an input template that is password-hashed can allow for confidence-level calculations of features. Certainly could do a threshold calculation where some subset of hashed feature/locations would have to be present in the input as compared to the reference. Someone must have solved this problem and I'm just sitting here babbling.]]>
2013-09-11T14:33:35Z2013-09-11T14:33:35Z